A previously unknown ring of Russian-language hackers has stolen as much as $10 million from U.S. and Russian banks in the last 18 months, according to a Moscow-based cyber-security firm that runs the largest computer forensics laboratory in eastern Europe.
The hackers, who also breached a U.K. software and service provider, are now probing institutions in Latin America and may be trying to compromise the Swift international bank messaging service, according to the security firm, whose clients range from Russia’s biggest lender Sberbank PJSC to Raiffeisen Bank International AG. “Criminals have changed tactics and are now focusing on banks rather than their clients, as was standard operating procedure in the past,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, said by phone.
Since its first successful breach in May 2016, MoneyTaker has stolen from banks in New York, California, Utah and Moscow, primarily targeting smaller institutions with limited cyber defenses, Group-IB found.
The average haul from U.S. banks was about $500,000, and it stole over $3 million from three Russian lenders.
Group-IB said the U.S. banks were targeted by gaining access to their card-processing system and then opening accounts at the compromised institutions.
Russia is all over the internet, using it for everything from stealing money, to geopolitical operations, to stealing intellectual property, and more. Do not expect the Russians to cease anytime soon, considering how lucrative and inexpensive it is to use cyber for these attacks.
Bangladesh’s central bank is unlikely to extend the contract of U.S. cyber security firm FireEye to investigate the electronic theft of $81 million of its money, sources at the bank said on Wednesday, citing high costs as one of the factors.
I have to wonder if there is more to this story than meets the eye. Mandiant, while an exceptionally talented team of forensics experts, may be struggling to accurately determine exactly what happened, thus causing the bank to lose confidence in their ability to meet contract requirements.
FireEye’s Mandiant forensics division was hired by Bangladesh Bank weeks after the cyber heist in early February. It said in an interim report that hackers took control of the bank’s network, stole credentials for sending messages on the SWIFT transactions system and used “sophisticated” malicious software to attack the computers the bank uses to process and authorize transactions.
Mandiant has said it needs 570 hours of more work to complete its investigations, a director on the board of Bangladesh Bank told Reuters. The bank has already paid about $280,000 to the company at an hourly rate of $400, he and other officials said on condition of anonymity.
Unbelievable cost. This could, quite possibly, be the reason for FireEye getting dumped. There is no reason they should be charging this much, unless their goal was to take advantage of the Bangladesh central bank.
“Larger banks are getting harder to penetrate since they’ve invested in security for years. They’ve had their big breach through which they get religion, they get spend [more budget] and they get harder,” said Bill Stewart, an EVP with Booz Allen. “Now, the adversaries are moving down the food chain.” In practice, this means the same hackers who once targeted big banks are seeking easier prey: credit unions, small hedge funds, PR firms, and a wide variety of other mid-tier enterprises.
The attackers are led by mafia-like criminal gangs but also outfits like Lazarus, which hit the Bangladesh central bank, and which is widely believed to be tied to the government of North Korea. According to McArdle of eSentire, some nation states are expanding their hacking targets as a way to fund their cyber-military capacities.
He added that the mid-tier firms, now the targets of hackers of all stripes, can be defined as companies that lack resources for chief security officers, and other full-time defense operations.
If you are a financial institution, there is no excuse for not having full-time defensive operations, or a 24/7 security operations center.
In response to the attempted hacks, Bank Indonesia (BI) has blocked 149 regions that don’t usually access its website, including several small African countries, Deputy Governor Ronald Waas said in an interview late on Monday.
He said several central banks were hit by similar attacks and were sharing the IP addresses used by the perpetrators.
Central banks have been on high alert in the wake of revelations that hackers issued fraudulent money transfers to steal $81 million from the Bangladesh central bank in February.
No money was lost in the attacks on Bank Indonesia and the Bank of Korea, which were mainly DDoS (Distributed Denial of Service) attempts, the officials said.
There was no word on who the hackers were.
Waas said the cyber attacks were unsuccessful because of the cooperation between central banks.
“There is regional cooperation between central banks. Those who have gotten hit are sharing their experiences,” he said.
Cooperation vertically within an industry, as well as horizontally across multiple industries, is a key component of a strong defense against cyber attacks.
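The sharing described above only pays off if the indicators a peer institution hands over are actually run against your own telemetry. The script below is an added example, not code from the original article or from any of the central banks mentioned: it takes a constructed list of attacker addresses as a partner might share them (single hosts and CIDR ranges, here drawn from the RFC 5737 documentation ranges), normalizes them with the standard `ipaddress` module, and scans constructed web-server access log lines in combined log format for any client that falls inside a shared indicator. The log lines, indicator list and field names are all hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed indicator list: what a peer central bank might share after an attack.
# Bare addresses and CIDR blocks are both accepted (RFC 5737 documentation ranges).
SHARED_INDICATORS = [
    "198.51.100.23",
    "203.0.113.0/24",
    "192.0.2.77",
    "not-an-address",  # malformed entries are skipped, not fatal
]

# Constructed access log lines in Apache/nginx combined format (hypothetical traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [10/Jun/2016:02:14:01 +0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Jun/2016:02:14:02 +0700] "GET / HTTP/1.1" 200 5120 "-" "curl/7.47.0"
203.0.113.46 - - [10/Jun/2016:02:14:02 +0700] "GET / HTTP/1.1" 200 5120 "-" "curl/7.47.0"
10.20.30.40 - - [10/Jun/2016:02:14:05 +0700] "GET /rates HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jun/2016:02:14:09 +0700] "POST /login HTTP/1.1" 403 312 "-" "python-requests/2.9"
garbage line that does not parse
"""

# Client IP, timestamp, request line, status and size from the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def load_indicators(entries):
    """Turn shared indicators into network objects; a bare host becomes a /32 (or /128)."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # a bad line in a shared list should not stop the scan
    return nets


def match_indicator(ip_str, nets):
    """Return the first shared indicator network containing ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None


def scan_log(log_text, indicators):
    """Scan access log text; return (list of hits, per-indicator hit counts)."""
    nets = load_indicators(indicators)
    hits = []
    per_indicator = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash on real logs
        net = match_indicator(m["ip"], nets)
        if net is None:
            continue
        hits.append({
            "ip": m["ip"],
            "indicator": str(net),
            "request": m["req"],
            "status": int(m["status"]),
        })
        per_indicator[str(net)] += 1
    return hits, per_indicator


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG, SHARED_INDICATORS)
    for h in found:
        print(f'{h["ip"]:<16} in {h["indicator"]:<18} {h["request"]} -> {h["status"]}')
    print("hits per shared indicator:", dict(counts))
```

Matching by network rather than by string is the point: a partner that reports a /24 has seen a whole hosting block misused, and a plain string comparison against individual addresses would miss the two `203.0.113.x` hosts above. The same function works unchanged against IPv6 indicators.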